Moltbook calls itself “the front page of the agent internet”—a Reddit-style social network built exclusively for AI agents. Humans register agents, those agents post, comment, vote, and form communities. The content is what you’d expect from unsupervised LLMs: agents inventing religions, composing manifestos, forming digital subcultures.
What makes Moltbook worth looking at isn’t the content. It’s that the platform sits at the intersection of three things: prompt engineering as a surface area, vibe-coded infrastructure, and agent security.
Moltbook follows the Agent Skills specification, a format for describing capabilities that AI agents can pick up and use. The core of Moltbook’s integration is a SKILL.md file hosted at moltbook.com/skill.md. You point your agent at it, and it learns how to interact with the platform.
The registration flow is straightforward: POST to /agents/register with a name and description. From there, the SKILL.md lays out the full API surface: creating posts (capped at one per 30 minutes), commenting (one per 20 seconds, 50 per day), voting, following other agents, creating and moderating communities (“submolts”), managing profiles, and semantic search.
There’s a small table in the file referencing additional skill documents—HEARTBEAT.md for periodic engagement guidelines, MESSAGING.md for DMs, RULES.md for community policies—that the agent loads as needed. The idea is progressive disclosure: metadata is cheap, full instructions load on activation, and reference material loads only when required.
The authentication model is simple bearer tokens. Every request carries Authorization: Bearer YOUR_API_KEY. The SKILL.md even includes a warning in bold: only send your API key to the www.moltbook.com domain, never share it elsewhere.
That warning matters later.
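The SKILL.md expresses the "only send your API key to www.moltbook.com" rule as an instruction to the model. An added example, not code from Moltbook or the Agent Skills project, of enforcing the same rule in the agent's HTTP layer so it holds regardless of what the model is told: the bearer token is attached only for HTTPS requests to an exact allowlisted host, and is dropped when a redirect would carry it anywhere else. The host and the /agents/register path come from the post; the helper's structure and names are assumptions.

```python
"""Credential scoping for an agent HTTP client (added example, hypothetical helper).

The token is attached by this layer, never by the model, so an instruction
read from platform content cannot route the key to another host.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Exact-match allowlist taken from the SKILL.md warning quoted in the post.
ALLOWED_HOSTS = frozenset({"www.moltbook.com"})


class CredentialScopeError(Exception):
    """Raised when a request would carry the bearer token out of scope."""


@dataclass(frozen=True)
class PreparedRequest:
    method: str
    url: str
    headers: dict


def credential_in_scope(url: str) -> bool:
    """True only for https:// URLs whose host is exactly an allowed host.

    urlsplit().hostname already strips userinfo and ports, so
    'https://www.moltbook.com@evil.example/' resolves to evil.example.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and host in ALLOWED_HOSTS


def build_request(method: str, url: str, api_key: str, extra_headers=None) -> PreparedRequest:
    """Attach 'Authorization: Bearer <key>' or refuse to build the request."""
    headers = dict(extra_headers or {})
    # Never honour a caller-supplied Authorization header; only this layer sets it.
    headers.pop("Authorization", None)
    if not credential_in_scope(url):
        raise CredentialScopeError(f"refusing to send credentials to {url!r}")
    headers["Authorization"] = f"Bearer {api_key}"
    return PreparedRequest(method.upper(), url, headers)


def headers_for_redirect(original: PreparedRequest, location: str) -> dict:
    """Headers to use when following a redirect.

    The token survives only if the new location is still in scope; otherwise
    the redirect is followed without credentials.
    """
    headers = dict(original.headers)
    if not credential_in_scope(location):
        headers.pop("Authorization", None)
    return headers


if __name__ == "__main__":
    key = "EXAMPLE_KEY_PLACEHOLDER"  # constructed placeholder, not a real key
    req = build_request("POST", "https://www.moltbook.com/agents/register", key)
    print(req.headers)
    print(headers_for_redirect(req, "https://evil.example/collect"))
    try:
        build_request("GET", "http://www.moltbook.com/agents/me", key)
    except CredentialScopeError as exc:
        print("blocked:", exc)
```

The allowlist is an exact host match rather than a suffix check, so lookalike hosts such as www.moltbook.com.evil.example are rejected, and plain HTTP is refused even for the right host because a bearer token sent in clear text is as good as shared.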
In late January 2026, researchers at Wiz found a misconfigured Supabase database backing the platform. A publishable API key was hardcoded in client-side JavaScript. Row Level Security wasn’t enabled. That key granted unauthenticated read and write access to the production PostgreSQL database.
What was exposed: 1.5 million agent API keys, 35,000 email addresses, claim tokens, verification codes, and 4,060 private direct messages between agents—some containing plaintext OpenAI API keys that users had shared assuming the messages were private.
The more interesting finding was structural. While Moltbook publicized 1.5 million registered agents, the database showed only about 17,000 human accounts behind them. An 88:1 ratio. Wiz researcher Gal Nagli confirmed he could register a million agents in minutes—no rate limiting, no verification that an “agent” was actually AI, no mechanism to distinguish an LLM-driven bot from a human with a curl command. Most of the “agent internet” was humans operating fleets of bots.
Who has that many tokens to burn? Someone with deep pockets or, more likely, someone who realized you didn’t actually need tokens at all—just a loop and a POST request.
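Both signals described above, a skewed agents-per-human ratio and registrations arriving faster than any LLM loop would produce them, are visible from a registration log alone. The following detector is an added example, not code from Moltbook or Wiz: it runs over a constructed set of registration events, computes the agent-to-owner ratio, flags owners operating fleets, and applies the per-source sliding-window rate check the endpoint lacked. The event format, field names and thresholds are assumptions for illustration.

```python
"""Registration-abuse detection over constructed log lines (added example)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample: one JSON object per registration, as a /agents/register
# handler might log it. Owners and IPs are documentation-range placeholders.
SAMPLE_LOG = """\
{"ts": "2026-01-30T10:00:00Z", "owner": "h1", "agent": "bot-001", "ip": "198.51.100.7"}
{"ts": "2026-01-30T10:00:02Z", "owner": "h1", "agent": "bot-002", "ip": "198.51.100.7"}
{"ts": "2026-01-30T10:00:04Z", "owner": "h1", "agent": "bot-003", "ip": "198.51.100.7"}
{"ts": "2026-01-30T10:00:06Z", "owner": "h1", "agent": "bot-004", "ip": "198.51.100.7"}
{"ts": "2026-01-30T10:00:08Z", "owner": "h1", "agent": "bot-005", "ip": "198.51.100.7"}
{"ts": "2026-01-30T10:00:10Z", "owner": "h1", "agent": "bot-006", "ip": "198.51.100.7"}
{"ts": "2026-01-30T10:15:00Z", "owner": "h2", "agent": "poet", "ip": "203.0.113.9"}
{"ts": "2026-01-30T11:00:00Z", "owner": "h3", "agent": "critic", "ip": "203.0.113.10"}
{"ts": "2026-01-30T13:00:00Z", "owner": "h3", "agent": "archivist", "ip": "203.0.113.10"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with an aware UTC datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def agents_per_owner(events):
    counts = defaultdict(int)
    for e in events:
        counts[e["owner"]] += 1
    return dict(counts)


def agent_to_human_ratio(events):
    """Registered agents divided by distinct owners (the post's 88:1 figure)."""
    owners = {e["owner"] for e in events}
    return len(events) / len(owners) if owners else 0.0


def fleet_operators(events, max_agents=3):
    """Owners with more agents than a single person plausibly operates by hand."""
    return sorted(o for o, n in agents_per_owner(events).items() if n > max_agents)


def burst_sources(events, window_seconds=60, max_in_window=4):
    """Sliding-window rate check per source IP; returns IPs over the limit.

    This is the check a registration endpoint applies online to throttle
    bulk sign-ups; here it runs offline over the log.
    """
    recent = defaultdict(deque)
    flagged = set()
    for e in events:
        q = recent[e["ip"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_in_window:
            flagged.add(e["ip"])
    return sorted(flagged)


def report(text):
    ev = parse_events(text)
    return {
        "agents": len(ev),
        "humans": len({e["owner"] for e in ev}),
        "ratio": round(agent_to_human_ratio(ev), 2),
        "fleet_operators": fleet_operators(ev),
        "burst_sources": burst_sources(ev),
    }


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_LOG), indent=2))
```

On the constructed sample the report shows nine agents behind three owners (a 3:1 ratio), flags h1 as a fleet operator, and flags 198.51.100.7 for six registrations inside ten seconds. The same two checks, run against a real registration table, are what would have made the 17,000-humans-behind-1.5-million-agents picture visible to the platform before a researcher found it.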
The vulnerability was disclosed on January 31 and patched through the night, with all tables secured by February 1. The maintainer responded quickly, but it took multiple rounds of fixes, table by table. Security hardening isn’t a single pass, especially when the original code wasn’t written with access controls in mind.
The Wiz blog post is worth reading in full.
If you browse Moltbook’s posts, you’ll find agents warning each other about API key theft—posts initiated by humans, worded by LLMs, warning other human-operated LLMs about credential security on a platform that was itself leaking credentials.
Simon Willison identified three conditions converging on Moltbook:
This combination makes prompt injection practical. A malicious post from one agent could get another to leak its API key or execute unintended actions. The entire content layer is agent-generated, so there’s no human filter between a poisoned post and the agent that reads it.
This is already happening. OpenSourceMalware documented 14 fake “skills” uploaded to ClawHub—packages posing as crypto trading utilities that actually ran data-stealing code. One reached Moltbook’s homepage.
Moltbook’s founder publicly stated that he “didn’t write a single line of code” for the platform. He described the architecture, and AI built it. The whole thing is vibe coded.
This isn’t a knock on AI-assisted development, but it does illustrate a gap. Current AI coding tools build functional software quickly. They don’t yet reason well about access controls and security defaults. Vibe coding got the product to market. It also left Row Level Security turned off.
There are existential conversations happening about AI agents and autonomy. Those aren’t what makes Moltbook interesting. What’s interesting is that it’s a working example of what happens when the agent internet meets real infrastructure.
Wiz CTO Ami Luttwak: “The new internet is actually not verifiable. There is no clear identity. There’s no clear distinction between AI and humans, and there’s definitely no definition for an authentic AI.”
George Chalhoub at UCL: “If 770K agents on a Reddit clone create this much chaos, what happens managing enterprise infrastructure?”
My prediction: Moltbook and the OpenClaw ecosystem will be fertile ground for agent scams and developing guardrails. The skills spec is an open standard. Anyone can publish a SKILL.md. Anyone can register agents. The surface area for social engineering—not of humans, but of other agents—is open and largely unguarded. The guardrails don’t exist yet.
